Shreeraj Shah, Blueinfy

// July 24-27

USA 2010 Weekend Training Session // July 24-25

USA 2010 Weekday Training Session // July 26-27

Overview:

Enterprise application source code, independent of language and platform, is a major source of vulnerabilities. The class is designed to focus on enterprise architecture and application analytics in order to discover those vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases a vulnerability crops up due to programming errors, and in 36% of cases due to configuration issues. We will cover analysis techniques, with tools, for the assessment and review of enterprise application source code. Enterprise 2.0 and mashups, along with other Web 2.0 concepts, reinforced by hands-on experience, will help in understanding next generation application requirements.

It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class is on developing a complete understanding of source code analysis, audit methodologies, techniques and tools. The knowledge gained will help in analyzing and securing enterprise applications at all stages: architecture, design and/or development. The course is designed by the author of "Web Hacking: Attacks and Defenses", "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA", bringing his experience in application security and research to the curriculum. Special focus is given to compliance and the Top-25 errors for enterprise applications.

This class is hands-on and requires laptops to implement its numerous exercises, which are designed to run hand-in-hand with the concepts they illustrate. The class features real life cases, hands-on exercises, code scanning tools and defense plans. Participants are methodically taken down to the source code level and exposed to the possible flaws in architecture, design and coding practices. The class then focuses on the proper ways of writing secure code and analyzing the code base.

The class also covers client side coding and security, including Ajax and JavaScript analysis, Flash based application reviews and browser security.

Participants gain an understanding of various tools and frameworks through hands-on experience.

Course timeline:

2 Days with regular breaks

Teaching methods:

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies.

Student Requirements:

Basic knowledge of enterprise application architecture and design.

Understanding of one of the following languages: Java, C# (.NET) or PHP.

Familiarity with application scanning tools and approaches would be handy.

Script writing ability in Perl, Ruby or Python would help in coding quick tools (not a must).

It is also recommended for someone who is new to the application security space and is looking for quick lessons in source code audit and testing.

What you should bring:

Students should bring a copy of the Web Application Hacker's Handbook. A standard Windows, Linux or Mac laptop with Java installed and capable of running Burp Suite should be brought.

What you will get:

Slide hand-outs

Trainers:

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space.

He is also the author of popular books such as Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert by BBC, Dark Reading and Bank Technology.

Shreeraj was instrumental in product development, researching new methodologies and training designs. He has performed several security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews and project management.

Vimal Patel is a founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy.

Prior to founding Blueinfy, he held the position of Vice President at Citigroup, where he led the architecture, design and development of various financial applications. Vimal holds a Master's degree in Computer Science.

Vimal has over a decade of experience and expertise in many technologies. His experience ranges from the design of complex digital circuits and microcontroller based products to enterprise applications.